Author Archive - David Sancho (Senior Threat Researcher)

The biggest security headache that consumers face on a regular basis may well be… the password. You need one to do just about anything online nowadays. This makes them very valuable targets of theft – as the news that “1.2 billion” passwords were stolen highlights. Unfortunately, remembering passwords for all the sites that people use every day can be a challenge.

With that in mind, I was interested when I heard about a paper that discussed how users manage multiple passwords. Unfortunately, this paper from Microsoft and Canadian researchers doesn’t actually provide very good advice, and may in fact promote dangerous practices.

Let me summarize the paper for those who haven’t read it: they suggest that users are incapable of following both of the key tenets of password security: that passwords must be secure (i.e., not easily found with a dictionary-based search), and that they must not be shared. The researchers suggest that users decide which accounts need to be protected with secure passwords; the other accounts can be protected with ordinary passwords that don’t have to be unique or secure.

This idea only works if you accept as a fact that the user is incapable of remembering secure passwords. However, that’s why password managers exist. This idea that a user must rely on their unaided memory is simply wrong. The computer – whether it’s a PC, tablet, or smartphone – is an extraordinarily powerful tool. Why not use it?

Yes, these managers are not perfect. Just last month, another group of researchers found vulnerabilities in several online password managers. However, they’re still a significant improvement over trying to remember passwords by rote memory, and it’s a gigantic improvement over using poor passwords. The perfect should not be the enemy of the good.

I try to make the advice I give as clear as possible. Whether or not that was their intention, studies like this muddy the waters and send the message that bad passwords are okay. It depends on the user discriminating between what needs to be secure and what isn’t. However, many users are likely to trade security for convenience and choose weak passwords instead. It’s human nature to do so. Sadly enough, the users most likely to choose weak passwords are also the ones who are likely to fall victim to various online threats.

Let’s say, however, that someone really doesn’t want to use a password manager. That doesn’t mean you need to use a bad, recycled password. Consider this procedure:

Choose a simple password you already use. Let’s take “Snoopy2” as an example.

Create an algorithm in your mind that uses the full domain name of the website you’re protecting. So, for example, it can be: “two first letters, two last letters and the number of letters it has, first letter in uppercase”. “twitter.com” becomes “Twer7”. It can be any algorithm you want, so long as you remember it.

Choose a number that means something to you. Your birthday, the age at which you met your husband, whatever. Let’s say I use the number “32”.

Put it all together. My password for twitter would be “Twer7Snoopy232”. My next password for “awesomecyclingforum.com” would be “Awum19Snoopy232”. If I ever need to change it, just add one to the last number… or 7. It’s up to you.
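The recipe above, written out as an added example (not code from the original post) so the two worked values can be reproduced. Assumptions of mine: the label the algorithm looks at is the part just before the TLD (“twitter” for twitter.com), which is what the post’s letter counts imply, and the base password and personal number default to the post’s “Snoopy2” and 32.

```python
# Added example, not code from the original post: the site-specific password
# recipe, with the post's "add one to the last number" rotation as a parameter.
# Assumption: the label used is the one just before the TLD ("twitter" for
# twitter.com or www.twitter.com); base password and number default to the post's.

def site_token(domain: str) -> str:
    """First two letters + last two letters + letter count, first letter uppercased."""
    labels = domain.lower().strip().split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # "twitter.com" -> "twitter"
    token = label[:2] + label[-2:] + str(len(label))         # "tw" + "er" + "7"
    return token[0].upper() + token[1:]                      # "Twer7"


def site_password(domain: str, base: str = "Snoopy2", number: int = 32,
                  generation: int = 0) -> str:
    """Token + base password + personal number.

    `generation` is the post's rotation step: bump it by one when a site forces
    a password change, and the rest of the recipe stays exactly as memorised.
    """
    return f"{site_token(domain)}{base}{number + generation}"


def all_distinct(domains) -> bool:
    """The property the post is after: no two services share a password."""
    passwords = [site_password(d) for d in domains]
    return len(set(passwords)) == len(passwords)


if __name__ == "__main__":
    for d in ("twitter.com", "awesomecyclingforum.com"):
        print(d, "->", site_password(d))
```

`all_distinct` makes the recipe's one limitation visible: two domains that share their first two letters, last two letters and length produce the same password, so the personal algorithm should be chosen with that in mind.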

The bottom line is: one day we won’t have to use passwords to log into sites anymore. That day, however, is not today. We’re still stuck with passwords, and we need to provide the best advice to users on how to create good passwords. A mixed message – like the one promoted by these researchers – is unhelpful at best, and wrong-headed at worst.

Like Swiss Emmental cheese, the ways your online banking accounts are protected might be full of holes. Banks have been trying to prevent crooks from accessing your online accounts for ages. Passwords, PINs, coordinate cards, TANs, session tokens – all of these were created to help prevent banking fraud. We recently came across a criminal operation that aims to defeat one of these tools: session tokens. Here’s how they pull it off.

This criminal gang intends to target banks that use session tokens sent through SMS (i.e., text messaging). This is a two-factor authentication method that utilizes users’ phones as a secondary channel. Trying to log into the banking site should prompt the bank to send users an SMS with a number. Users need to enter that number along with their regular username and password in order to transact with the bank. By default, this is used by some banks in Austria, Sweden, Switzerland, and other European countries.

Cybercriminals spam users from those countries with emails spoofing well-known online retailers. The users click a malicious link or attachment and get their computers infected with malware. So far, all this is fairly typical and from a threat perspective, a bit boring.

But here’s where it gets interesting. The users’ computers don’t really get infected—not with the usual banking malware, anyway. The malware only changes the configuration of their computers, then removes itself. How’s that for an undetectable infection? The changes are small… but have big repercussions.

Here’s how it works: the users’ computers’ DNS settings are changed to point to a foreign server controlled by the cybercriminals. The malware installs a rogue SSL root certificate in their systems so that the malicious HTTPS servers are trusted by default and they see no security warning.
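The two configuration changes just described are exactly what a defender can audit for. The following is an added example, not code from the original post or from Trend Micro: it compares a host snapshot against a baseline of expected DNS resolvers and known root-certificate thumbprints. Assumptions of mine: the snapshot is a dict collected elsewhere (for instance by a login script) with the configured DNS servers and the SHA-1 thumbprints of the machine’s trusted root store; every address, thumbprint and host name below is constructed for illustration.

```python
# Added example, not from the original post: audit a host for the two changes
# Operation Emmental makes, a foreign DNS resolver and an extra trusted root.
# Assumption: snapshots are collected elsewhere; all values here are constructed.

EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}          # constructed: corporate DNS

KNOWN_ROOT_THUMBPRINTS = {                               # constructed thumbprints
    "1111111111111111111111111111111111111111": "Corp Internal Root CA",
    "2222222222222222222222222222222222222222": "Public Root CA (vendor-shipped)",
}


def audit_host(snapshot, expected_resolvers=EXPECTED_RESOLVERS,
               known_roots=KNOWN_ROOT_THUMBPRINTS):
    """Return a list of (finding, details) tuples; an empty list means nothing suspicious."""
    findings = []
    configured = set(snapshot.get("dns_servers", []))
    foreign = configured - expected_resolvers            # resolver the malware pointed us at
    if foreign:
        findings.append(("dns_hijack", sorted(foreign)))
    roots = {t.upper() for t in snapshot.get("root_thumbprints", [])}
    unknown = roots - set(known_roots)                   # root CA nobody approved
    if unknown:
        findings.append(("unknown_root_ca", sorted(unknown)))
    return findings


# Constructed snapshots: a clean PC and one configured the way the post describes.
SAMPLE_HOSTS = {
    "clean-pc": {
        "dns_servers": ["10.0.0.53", "10.0.1.53"],
        "root_thumbprints": list(KNOWN_ROOT_THUMBPRINTS),
    },
    "emmental-pc": {
        "dns_servers": ["203.0.113.7"],                  # RFC 5737 documentation address
        "root_thumbprints": list(KNOWN_ROOT_THUMBPRINTS)
        + ["DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF"],  # constructed rogue root
    },
}


def audit_fleet(hosts=SAMPLE_HOSTS):
    """Map host name -> findings, keeping only hosts that have something to report."""
    return {name: f for name, f in ((n, audit_host(s)) for n, s in hosts.items()) if f}


if __name__ == "__main__":
    for host, findings in audit_fleet().items():
        print(host, findings)
```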

Figure 1. What happens in the 2-factor authentication process when the PC is infected in Operation Emmental

Now, when users with infected computers try to access the bank’s website, they are instead pointed to a malicious site that looks like that of their bank. So far, this is just a fancy phishing attack but these criminals are much more devious than that. Once the users enter their credentials, they are instructed to install an app on their smartphone.

This malicious Android app is disguised as a session token generator of the bank. In reality, it will intercept SMS messages from the bank and forward them to a command-and-control (C&C) server or to another mobile phone number. This means that the cybercriminal not only gets the victims’ online banking credentials through the phishing website, but also the session tokens needed to bank online as well. The criminals end up with full control of the victims’ bank accounts.

The criminals behind this particular operation target Internet users in Switzerland, Austria, and Sweden. Just this May, they added Japanese Internet users to their list of potential victims. We were able to trace the operators back to the online nicknames -=FreeMan=- and Northwinds. These actors have been active since 2011. Back then, they spread off-the-shelf malware like SpyEye and Hermes. Looking at the binaries that were recently deployed, we think the actors made use of at least two different crypting services. One of these crypting services is run by an individual from Uzbekistan. We have not been able to identify the other crypting service.

Every now and then, we get questions about password crackers. Usually, these questions are something like: why do you detect these password crackers? They’re not malicious! Well, now is as good a time as any to address the topic.

Obviously, password-cracking programs are not terribly malicious. Unless they have been trojanized or manipulated somehow, they just… crack passwords. Usually, given a password-protected file, they try different possibilities to recover that pesky password you forgot. I’m the first to admit that even though it might not be the best use of your computing power, it’s not terribly bad either.

However, there is a catch. Password-crackers and other software made for network administrators are often seen as part of attacks. This applies to other administration tools as well.

We have seen everything being used as tools in the attacker’s arsenal: from remote session helpers to file server programs and, yes, password crackers. Oftentimes, a trojan will spearhead the attack and, once it’s inside the victim’s network, it will download other tools to help it further its objectives. For instance, if the attacker stumbles upon a password-protected file, he might think that’s precisely where the interesting stuff is, and use… a password cracker.

This brings me to the second (though admittedly similar) malicious use of admin tools: targeted attacks. These usually allow the attacker to connect remotely to the victim and then move laterally inside the network looking for information to steal. In this mission, the attacker might drop in several reconnaissance and offensive tools. Among these – yes, you guessed it – password crackers.

A targeted attack is not just about the “tools” used, even if they are legitimate. It is about who is carrying out the attack. Just because a particular tool started out as a legitimate product does not mean it is always used that way.

Because of how password crackers are abused in the wild, it makes perfect sense for us to detect them and prevent our customers from running them on their machines. At the end of the day, our customers are masters of their own machines – they can always create an exception for a password cracker if they have a legitimate use for it on their networks.

We don’t think the freedom of letting common hacker tools loose in your network is worth the risk they involve. Dynamite has good uses too, but we try not to store it in our homes.

For users who are not system administrators, the biggest impact of the Heartbleed vulnerability has been all the passwords that they have had to change. This, together with improvements in alternative authentication methods (like the fingerprint scanners now embedded in flagship smartphones), has caused some rather bold statements about passwords to be made.

Passwords are out of fashion? Obsolete in the short term, I hear some people say? Not so fast! While it’s true that passwords are not the most convenient way of authenticating yourself and they are inherently insecure, we should not be so quick to dismiss them.

The main advantage of passwords is that everybody can use them straight away. There is no need to tie yourself to a specific authentication token (“I could swear it was in my bag this morning!”), location (“I can’t log in from the hotel, I forgot I enabled that security feature!”), or smartphone (“I let my phone’s battery go dead!”). It might seem odd to some, but forcing users to own a smartphone – or asking a company to provide their employees with one – might be too costly.

Even if passwords are supplemented by other authentication methods, passwords will still be around as a secondary method. What would happen otherwise when your phone or hardware token gets stolen? We are simply not ready for a world without passwords, much as we’d like to get rid of them.

If that’s the case, we might as well learn how to use them properly. It’s not that difficult:

First, use a different password for each online service. If you’re trying to do this manually, it becomes difficult – which is why the best way to do this is to use a password manager. There are multiple options available, many of which are free.

Secondly, once you are using a password manager, use a long, hard-to-guess master password for it. If it’s anywhere in a dictionary, it’s not a good password. Here’s one way to come up with a secure master password: use the initials of a very long sentence. Imagine there’s no heaven; It’s easy if you try; No hell below us; Above us only sky. Add commas and other punctuation for added difficulty and bonus points: Itnh,ieiyt;nhbu,auos! That’s a better password than what most people use.
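The “initials of a long sentence” recipe, as an added example that is not code from the original post; it reproduces the post’s worked value. Assumptions of mine: clauses of the sentence are separated by “;”, the separators inserted between the initial groups and the closing character are the user’s own choice (the defaults follow the post’s example), and only the very first initial keeps its capital, as in the post’s output.

```python
# Added example, not code from the original post: build a master password from
# the initials of a long sentence, with punctuation between clauses.
# Assumption: clauses are ";"-separated; separators and the final character are
# user-chosen, defaulting to the ones the post's example uses.

DEFAULT_SEPARATORS = (",", ";", ",")   # the post alternates comma and semicolon
DEFAULT_FINAL = "!"


def initials_password(sentence: str,
                      separators=DEFAULT_SEPARATORS,
                      final: str = DEFAULT_FINAL) -> str:
    """First letter of every word, clause groups joined by the chosen punctuation."""
    clauses = [c.strip() for c in sentence.split(";") if c.strip()]
    if not clauses:
        raise ValueError("sentence contains no words")
    groups = ["".join(word[0].lower() for word in clause.split()) for clause in clauses]
    out = groups[0]
    for i, group in enumerate(groups[1:]):
        out += separators[i % len(separators)] + group   # cycle if more clauses than separators
    out = out[0].upper() + out[1:]                       # only the first initial is capitalised
    return out + final


if __name__ == "__main__":
    lyric = ("Imagine there's no heaven; It's easy if you try; "
             "No hell below us; Above us only sky")
    print(initials_password(lyric))   # Itnh,ieiyt;nhbu,auos!
```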

Thirdly, don’t rely on passwords alone. Yes, we said that passwords won’t be going away soon – but if you can, use whatever second factor of authentication is available. A smartphone is a good choice, as many services can use one to authenticate – whether it’s via an app or text messages.

I don’t think passwords are going to fall out of fashion anytime soon, if only for the ease of use. This isn’t to say that they will be the only authentication method used – and they shouldn’t be. Complementing them with more factors (two or three!) is the way to go, in my opinion.

Windows end of support this, Windows end of support that… a lot of people in the IT field are writing about how Windows XP will be unsupported tomorrow. Why is this a big deal? Like any other software, operating systems evolve and it takes too much effort for the companies who created them to keep supporting older versions as time goes on.

All Windows versions eventually become obsolete – try to call Microsoft today about that Windows 95 problem you still have and see what kind of response you’ll get. Windows XP, however, is a completely different case. Usually, when support for a Windows version ends that particular version is no longer used in great numbers.

That’s not the case here. Depending on which source you use, Windows XP is still in use on at least 18%, and as much as 28%, of all PCs worldwide. Yes, hard as it is to imagine, somewhere between a fifth and a quarter of all PCs use an operating system that was released in 2001.

When Microsoft leaves these users out in the cold after April 8, any security problem they have in the future will be left unpatched; those millions of PCs will not have any available Microsoft-supplied fixes. Of course, you can still use antivirus software and be protected that way, but newly-discovered security holes in the operating system will not be fixed and therefore will be left wide open for attackers to use.

Why are so many people still using a 13-year-old operating system, I hear you ask? Many of these users fall into three groups. What does each of these groups need to know now that patches are no longer coming?

Group 1 – Simple users that consider the OS a mere tool.

Many of the remaining users of XP have a very practical view of their machines. Their philosophy is, “if I have a screwdriver that works, why bother buying a new one 10 years down the line if the old one still works”. Their XP machine does what they need and they’re happy enough with it.

The problem with this line of thinking is that modern operating systems do get old with time. The screwdriver analogy is flawed: a screwdriver is something extremely simple that never needs an upgrade. Try something more complex for an analogy; how about prescription glasses?

They become obsolete after a while – either when they get out of fashion, or your eyes change (normally for the worse, unfortunately). Imagine you’re left with old prescription glasses that only one optician can change and this optician goes out of business. You’re on your own. Same with Windows XP.

If you’re in this situation, maybe it’s time to consider a simpler computing device. If all you do on your PC is check your email and go on social media, maybe it’s time to consider using a tablet instead of a PC.

Group 2 – Users with a genuine need for Windows XP

The ancient OS has become the only tool that this particular group of people can use. Think ATMs, POS systems, medical devices, certain machines that are not easily upgradable, or whose hardware is too old for a newer operating system.

In some cases, virtualizing the OS might do the trick. Combined with a product that blocks attacks against the virtualized environment, this setup might be able to keep attacks at bay. Isolating them from the Internet is also a possibility, though not always realistic. Users on these systems will need to be especially cautious with everything that goes in and out of these devices, whether online (the Internet) or offline (removable media, etc.).

Regular, even daily backups can help here. Pray a lot, as in this situation your margin for error is frighteningly small.

Group 3 – Enterprise users

The last group of Windows XP users are enterprises that haven’t gotten around to upgrading their large installations of Windows XP.

We feel your pain. Upgrading hardware is never easy, training the users might take time, budget is tight, those kinds of excuses. Well, just remember this: if you have to recover after a massive attack, excuses won’t mean much. We’ve known for years that Windows XP’s support would be ending now; there’s very little excuse for not being prepared for it.

You have to think that while you’re using Windows XP out of support, any zero-day attacks (and there is a very good chance there will be some) will not be solvable. Yes, you can temporarily manage the risks, but that’s not a permanent solution. It is like having a big crack in your wall that you can patch over with wallpaper for a while, but nobody will ever be able to repair. Enough said.